Package: openssh-client
Version: 1:9.9p1-3
Severity: minor

I have a `~/.ssh/known_hosts` file that has been copied over (along with my home directory) from every machine I've had (for probably well over a decade, if not two). Consequently, it has lots of host keys in it. I was attempting to edit the file using `-R` and got an error message:

```
% ssh-keygen -f '/home/bmc/.ssh/known_hosts' -R 'localhost'
/home/bmc/.ssh/known_hosts:385: invalid line
/home/bmc/.ssh/known_hosts:494: invalid line
# Host localhost found: line 550
# Host localhost found: line 551
# Host localhost found: line 552
/home/bmc/.ssh/known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors
```

It turns out that lines 385 and 494 had host keys that were ssh-dss.

To be clear, I am not arguing that we should allow or process DSA keys, since they are definitely insecure, and running `ssh -Q key` shows that they have been removed from OpenSSH, which, again, I agree with.

I do, however, think that it would be a better user experience if we could skip those keys and continue the operation in this case, since they used to be valid and there are many people who probably have them still in `known_hosts`. My suggestion would be to leave them as-is, but removing them would probably also be fine.

The workaround, of course, is to remove those keys, and then the operation will succeed.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.13-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.137
ii  libc6             2.40-7
ii  libedit2          3.1-20250104-1
ii  libfido2-1        1.15.0-1+b1
ii  libgssapi-krb5-2  1.21.3-4
ii  libselinux1       3.8-3
ii  libssl3t64        3.4.1-1
ii  passwd            1:4.17.2-4
ii  zlib1g            1:1.3.dfsg+really1.3.1-1+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1.1

Versions of packages openssh-client suggests:
pn  keychain                           <none>
pn  libpam-ssh                         <none>
pn  monkeysphere                       <none>
ii  ssh-askpass-gnome [ssh-askpass]    1:9.9p1-3

-- no debconf information

-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA
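
The workaround mentioned in the report (finding and removing the `ssh-dss` entries), sketched as an added example that is not part of the original report or of OpenSSH. The function names and the sample entries are constructed for illustration; the script accounts for `@cert-authority` / `@revoked` markers, which shift the key type to the third field.

```sh
#!/bin/sh
# Added example (not from the report or OpenSSH): locate and filter out
# ssh-dss entries in a known_hosts file. Function names are hypothetical.
# Line layout: [@marker] hostnames keytype base64-key [comment]

# dss_lines FILE: print "lineno: hostnames" for every ssh-dss entry.
dss_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            i = ($1 ~ /^@/) ? 2 : 1         # skip @cert-authority/@revoked marker
            if ($(i + 1) == "ssh-dss") print NR ": " $i
        }' "$1"
}

# strip_dss FILE: copy FILE to stdout without its ssh-dss entries.
strip_dss() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            i = ($1 ~ /^@/) ? 2 : 1
            if ($(i + 1) != "ssh-dss") print
        }' "$1"
}

# write_sample FILE: constructed sample input (key blobs are placeholders).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real host keys
old.example.org ssh-dss AAAAB3NzaC1kc3M-constructed
localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-constructed
@cert-authority *.example.org ssh-dss AAAAB3NzaC1kc3M-constructed-ca
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2E-constructed
EOF
}

# Stand-alone use: sh this-script ~/.ssh/known_hosts
if [ "$#" -gt 0 ]; then
    dss_lines "$1"
fi
```

Write the output of `strip_dss` to a new file and compare it with the original before replacing anything, keeping the original as a backup.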